Network Working Group                                    P. Hallam-Baker
Internet-Draft                                         Comodo Group Inc.
Intended status: Informational                            April 11, 2018
Expires: October 13, 2018


                Mathematical Mesh: Application Profiles
                     draft-hallambaker-mesh-app-02

Abstract

   The use of the Mathematical Mesh to manage cryptographic keys for use
   with Mail and SSH is described.  The format of the application
   profiles is described with examples.

   This document is also available online at
   http://prismproof.org/Documents/draft-hallambaker-mesh-app.html [1] .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 13, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Hallam-Baker            Expires October 13, 2018                [Page 1]


Internet-Draft                  Mesh/SSH                      April 2018


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     2.2.  Related Specifications  . . . . . . . . . . . . . . . . .   3
     2.3.  Defined Terms . . . . . . . . . . . . . . . . . . . . . .   3
     2.4.  Implementation Status . . . . . . . . . . . . . . . . . .   4
   3.  Mesh Application Profiles . . . . . . . . . . . . . . . . . .   4
   4.  Catalog Profiles  . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Catalog Example . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Credentials . . . . . . . . . . . . . . . . . . . . . . .   6
       4.2.1.  Credentials Example . . . . . . . . . . . . . . . . .   6
     4.3.  Bookmarks . . . . . . . . . . . . . . . . . . . . . . . .   6
     4.4.  Contacts  . . . . . . . . . . . . . . . . . . . . . . . .   7
       4.4.1.  Contacts Example  . . . . . . . . . . . . . . . . . .   7
     4.5.  Calendar  . . . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Mail  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     5.1.  Mail Example  . . . . . . . . . . . . . . . . . . . . . .   9
   6.  SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     6.1.  SSH Example . . . . . . . . . . . . . . . . . . . . . . .  10
   7.  Catalog Application Profiles  . . . . . . . . . . . . . . . .  10
     7.1.  Shared  . . . . . . . . . . . . . . . . . . . . . . . . .  10
       7.1.1.  Structure: ApplicationProfileCatalog  . . . . . . . .  10
       7.1.2.  Structure: CatalogEntry . . . . . . . . . . . . . . .  10
       7.1.3.  Structure: TypedData  . . . . . . . . . . . . . . . .  11
     7.2.  Credential Catalog  . . . . . . . . . . . . . . . . . . .  11
       7.2.1.  Structure: CredentialProfile  . . . . . . . . . . . .  11
       7.2.2.  Structure: CredentialProfilePrivate . . . . . . . . .  11
       7.2.3.  Structure: CredentialEntry  . . . . . . . . . . . . .  12
     7.3.  Bookmark Catalog  . . . . . . . . . . . . . . . . . . . .  12
       7.3.1.  Structure: BookmarkProfile  . . . . . . . . . . . . .  12
       7.3.2.  Structure: BookmarkProfilePrivate . . . . . . . . . .  12
       7.3.3.  Structure: BookmarkEntry  . . . . . . . . . . . . . .  12
     7.4.  Contact Catalog . . . . . . . . . . . . . . . . . . . . .  13
       7.4.1.  Structure: ContactProfile . . . . . . . . . . . . . .  13
       7.4.2.  Structure: ContactProfilePrivate  . . . . . . . . . .  13
       7.4.3.  Structure: ContactEntry . . . . . . . . . . . . . . .  13
       7.4.4.  Structure: PersonalName . . . . . . . . . . . . . . .  13
       7.4.5.  Structure: Address  . . . . . . . . . . . . . . . . .  14
       7.4.6.  Structure: Internet . . . . . . . . . . . . . . . . .  14
       7.4.7.  Structure: Postal . . . . . . . . . . . . . . . . . .  14
       7.4.8.  Structure: ContactPerson  . . . . . . . . . . . . . .  14
       7.4.9.  Structure: ContactOrganization  . . . . . . . . . . .  15
       7.4.10. Structure: NetworkProfile . . . . . . . . . . . . . .  15



Hallam-Baker            Expires October 13, 2018                [Page 2]


Internet-Draft                  Mesh/SSH                      April 2018


       7.4.11. Structure: NetworkProfilePrivate  . . . . . . . . . .  15
       7.4.12. Structure: NetworkEntry . . . . . . . . . . . . . . .  15
     7.5.  Mail Application Profile Objects  . . . . . . . . . . . .  15
       7.5.1.  Structure: MailProfile  . . . . . . . . . . . . . . .  15
       7.5.2.  Structure: MailDevicePublic . . . . . . . . . . . . .  16
       7.5.3.  Structure: MailProfilePrivate . . . . . . . . . . . .  16
       7.5.4.  Structure: MailDevicePrivate  . . . . . . . . . . . .  17
     7.6.  SSH Application Profile Objects . . . . . . . . . . . . .  17
       7.6.1.  Structure: SSHProfile . . . . . . . . . . . . . . . .  17
       7.6.2.  Structure: SSHDevicePublic  . . . . . . . . . . . . .  17
       7.6.3.  Structure: SSHProfilePrivate  . . . . . . . . . . . .  18
       7.6.4.  Structure: HostEntry  . . . . . . . . . . . . . . . .  18
       7.6.5.  Structure: SSHDevicePrivate . . . . . . . . . . . . .  18
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  19
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  19
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  19
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  19
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  19
     11.2.  Informative References . . . . . . . . . . . . . . . . .  19
     11.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  20
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  20

1.  Introduction

2.  Definitions

   This section presents the related specifications and standard, the
   terms that are used as terms of art within the documents and the
   terms used as requirements language.

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] .

2.2.  Related Specifications

   The related specifications are described in the Mesh Architecture
   specification [draft-hallambaker-mesh-architecture]

2.3.  Defined Terms

   No terms of art are defined.







Hallam-Baker            Expires October 13, 2018                [Page 3]


Internet-Draft                  Mesh/SSH                      April 2018


2.4.  Implementation Status

   The implementation status of the reference code base is described in
   the companion document [draft-hallambaker-mesh-developer] .

3.  Mesh Application Profiles

   (Pull piece from Mesh Reference to here)

4.  Catalog Profiles

   Catalog profiles are used to synchronize encrypted data sets across
   devices.  The catalog data model is restricted so as to permit a
   common set of management tools to be used to access and maintain
   profiles containing different types of data (bookmarks, credentials,
   contacts, etc.).  Catalogs do not contain per device data.  A catalog
   may not be shared with every device in the user?s profile but all the
   data in a catalog is available to all the devices with which it is
   shared.

   The management operations supported are:

   Synchronization  Permit user to add, delete and update entries from
      multiple devices with minimal surprise.  The mechanism is designed
      to be reasonably robust if network connectivity is lost during an
      attempted update.

   Labelling  Allow entries to be grouped into hierarchical categories
      defined by the user.  An entry may be added to more than one
      category at once.

   Each catalog entry SHOULD contain exactly one timestamp field of time
   Added, Updated or Deleted.  If present, the timestamp entries and the
   entry identifiers are used to merge catalog profiles that have been
   updated separately leading to an inconsistent state.

   Applications SHOULD specify a timestamp field on every entry unless
   it is known that update inconsistency cannot occur.  For example,
   when initially populating a catalog.

4.1.  Catalog Example

   Alice creates a new bookmarks profile which is shared between her
   laptop and her phone.  The initial profile is empty:







Hallam-Baker            Expires October 13, 2018                [Page 4]


Internet-Draft                  Mesh/SSH                      April 2018


   {
     "BookmarkProfilePrivate": {
       "Entries": []}}

                                 Figure 1

   Alice adds a bookmark entry to her profile on the browser on her
   laptop:

   {
     "BookmarkProfilePrivate": {
       "Entries": [{
           "Added": "2018-04-11T17:01:08Z",
           "Title": "First Site",
           "Uri": "http://example.com/"}]}}

                                 Figure 2

   Later, Alice is attempting to connect to a site on her phone but has
   no network connection.  She decides to bookmark the site instead.

   {
     "BookmarkProfilePrivate": {
       "Entries": [{
           "Added": "2018-04-11T18:35:46Z",
           "Title": "Second Site",
           "Uri": "https://example.com/"}]}}

                                 Figure 3

   At this point, the profiles on Alice's two devices are out of sync.
   When the phone is finally able to connect to the network, the
   profiles are merged:

   {
     "BookmarkProfilePrivate": {
       "Entries": [{
           "Added": "2018-04-11T17:01:08Z",
           "Title": "First Site",
           "Uri": "http://example.com/"},
         {
           "Added": "2018-04-11T18:35:46Z",
           "Title": "Second Site",
           "Uri": "https://example.com/"}]}}

                                 Figure 4





Hallam-Baker            Expires October 13, 2018                [Page 5]


Internet-Draft                  Mesh/SSH                      April 2018


4.2.  Credentials

   A credentials catalog contains access credentials, typically
   usernames and passwords, for a set of network resources such as Web
   sites that do not support the use of Mesh device profile data for
   authentication.

   Mesh/Credential enabled applications SHOULD offer to generate strong
   passwords for the user if the AutoGenerate field is set to true in
   the credential profile.  Since the use of automatically generated
   passwords is likely to be inconvenient for users unless all the
   applications on all the devices they might use support Mesh/
   Credential profiles, applications MUST NOT automatically generate
   passwords unless the user has affirmatively indicated that they want
   to use them.

   Further Work: Credential entries MAY specify that the credential is
   restricted to use with certain protocols (Web browsing, SFTP, etc.)
   and/or certain authentication mechanisms but the precise means of
   identifying both is not currently defined.

4.2.1.  Credentials Example

   {
     "CredentialProfilePrivate": {
       "AutoGenerate": true,
       "Entries": [{
           "Sites": ["luggage.example.net"],
           "Username": "Alice",
           "Password": "12345"},
         {
           "Label": ["Linux"],
           "Sites": ["host.example.net"],
           "Username": "BitAlice",
           "Password": "password",
           "Protocol": "ssh"}],
       "NeverAsk": ["secure.example.com",
         "bank.example.com"]}}

                                 Figure 5

4.3.  Bookmarks

   A bookmarks catalog contains a collection of bookmarks that have been
   saved for later use.  While the ability share bookmarks between
   groups of users has obvious advantages, at present, the
   implementation and specification are only written with the use of a
   single user have been considered.



Hallam-Baker            Expires October 13, 2018                [Page 6]


Internet-Draft                  Mesh/SSH                      April 2018


   A bookmark entry contains the URI of the target and a title.  If the
   book mark entry is a HTML resource, the title is taken from the
   <title> element in the document header.  If network and storage
   resources permit, catalog entries MAY include a favicon value for
   easy identification.

   Further Work: Bookmark entries MAY contain details describing the
   security properties of the connection to protect against downgrade
   attack.  For example, information from HTTP strict security [RFC6797]
   and key pinning headers [RFC7460] .

   tbs

4.4.  Contacts

   A contacts catalog contains a collection of contacts.  The
   ContactEntry object contains the usual fields for describing the
   person or organization the entry refers to, and means of contact
   (Internet, Postal).

   One significant deviation from existing formats is that the fact that
   people change names (e.g. marriage) is captured and that means of
   contact MAY be scoped to a particular organization.

4.4.1.  Contacts Example

   {
     "ContactProfilePrivate": {
       "Entries": [{
           "Personals": [{
               "First": "Alice"}],
           "Internets": [{
               "Uri": "mailto:alice@example.com"}]},
         {
           "Personals": [{
               "First": "Bob"}],
           "Internets": [{
               "Uri": "mailto:bob@example.com"}]}]}}

                                 Figure 6

4.5.  Calendar

   It is generally acknowledged that representation of calendar
   information is a ?difficult? problem.  Since it is the author?s
   experience that such problems almost invariably arise from an attempt
   to make use of an inadequate data model, the format for exchange of
   calendar information is currently undefined.



Hallam-Baker            Expires October 13, 2018                [Page 7]


Internet-Draft                  Mesh/SSH                      April 2018


   Further Work: Two major causes of difficulty are the use of local
   time zones and daylight savings, the definition of which are
   capricious at best.  When a recurring meeting is specified it is
   vital that the time zone in which the meeting is to recur is
   specified explicitly.  Attempts to normalize meetings to a single
   time zone will inevitably fail when the definition of time changes
   between the time the meeting is called and the meeting is held.

   Another major limitation in existing formats is the lack of
   understanding that when the user travels, at least some part of their
   context for scheduling also changes.  It should be possible to
   integrate all parts of the user?s schedule to offer alerts and
   reminders appropriate to their current location.

5.  Mail

   Mesh Mail profiles serve two distinct purposes:

   o  To provision a user?s devices with the credentials, network
      configuration and cryptographic keys necessary to support use of
      mail and end-to-end mail security enhancements.

   o  To publish necessary information for use by mail senders.

   o  While the principle focus of Mesh/Mail is to support exchange of
      mail over SMTP protocol, any infrastructure that provides a
      mechanism for publishing a recipient?s public keys for use by
      senders can, at least in principle, also publish information
      describing the user?s mail capabilities including the ability to
      support new messaging protocols.

   o  The use of end-to-end secure protocols requires the generation and
      use of at least one public key pair for signature and encryption.
      Best current practices require the use of separate keypairs for
      signature and encryption and if practical separate signature keys
      for each device.

   o  Since S/MIME and OpenPGP as currently specified do not support the
      use of Proxy Re-Encryption (recryption) to enable separate the use
      of separate decryption keys for each device, a single encryption
      keypair is used.  A mail profile must therefore contain an
      encrypted copy of the corresponding decryption key for each
      device.

   o  Further Work: Support Signal etc.  At present the profiles are not
      differentiated on a per device level.  It is likely that it would
      be useful to specify that certain devices are to carry a complete
      copy of the user?s mail while others should only carry messages



Hallam-Baker            Expires October 13, 2018                [Page 8]


Internet-Draft                  Mesh/SSH                      April 2018


      from the last few weeks or months.  It is also likely that it
      would be useful to be able to mark certain selections as being
      likely to be most useful offline.

5.1.  Mail Example

6.  SSH

   The Secure Shell (SSH) transport layer protocol [RFC4253] is widely
   used as a mechanism for securing access to remote hosts.  In addition
   to providing a terminal connection to a remote host, SSH also
   supports file transfer and remote access (VPN) functionality.  It is
   also used to provide remote procedure call (RPC) capabilities in
   applications such as Git.

   While SSH permits a high level of security to be achieved, achieving
   a high security configuration requires a considerable degree of
   attention to detail.  Numerous ?how to? guides found on the Internet
   advise the user to engage in many unsafe practices.  These include:

   Using a single private key for authentication for every machine to be
   used as a client.

   Emailing a copy of the authentication key to yourself to transfer it
   to a new machine.  (Alternatively use of insecure FTP, copying the
   data to /temp, etc.)

   Of equal concern was the fact that none of the guides mentioned any
   form of maintenance activity such as deleting authentication keys for
   a decommissioned device or performing a rekey operation in the case
   that a device is compromised.

   Configuring SSH securely is a non-trivial task because SSH is the
   tool through which the administrator will be connecting to secure
   their system.  This is a bootstrap problem: It is easy to solve the
   problem of SSH configuration once we have SSH configured for use.  To
   enable SSH access to a machine without creating an insecure path
   first is not a trivial matter.

   A Mesh/SSH profile contains three sets of information:

   o  A set of the user?s public authentication keys.  This is used to
      generate auth_hosts files and equivalents to enable the user to
      access machines.

   o  A set of hosts known to the user.  This is encrypted as it shows
      the machines that the user at least is likely to visit.  This is




Hallam-Baker            Expires October 13, 2018                [Page 9]


Internet-Draft                  Mesh/SSH                      April 2018


      used to generate known_hosts files and equivalents to enable the
      user to authenticate hosts.

   o  A set of device key entries.  The entry for each host is
      encrypted.  This is used to create the private key file(s) for the
      user on each of their devices.

6.1.  SSH Example

7.  Catalog Application Profiles

   Catalogues are application profiles that consist of a set of related
   information (contacts, passwords, bookmarks) but do not contain any
   cryptographic private keys or device specific data.  These
   restrictions allow management of these profiles to be simplified.

7.1.  Shared

   The following objects are common to multiple profiles.

7.1.1.  Structure: ApplicationProfileCatalog

   Inherits: ApplicationProfile

   Base class for all application profiles that are tied to an account
   profile

   AccountIdentifier: String (Optional)  The account to which this
      profile is bound

   PersonalUDF: String (Optional)  The person to which this profile is
      bound

7.1.2.  Structure: CatalogEntry

   Base class for catalog entries, contains base information on which
   catalog operations are performed.

   ID: String (Optional)  Unique identifier for the entry.  If present,
      overrides the identifier specified in the entry.

   Added: DateTime (Optional)  The time the site was added

   Updated: DateTime (Optional)  The last time the entry was updated

   Deleted: DateTime (Optional)  The last time the entry was updated





Hallam-Baker            Expires October 13, 2018               [Page 10]


Internet-Draft                  Mesh/SSH                      April 2018


   Label: String [0..Many]  Labels identifying the group(s) that the
      entry is filed under

   Source: TypedData [0..Many]  Source data for the entry

7.1.3.  Structure: TypedData

   Typed content.

   ContentType: String (Optional)  IANA Content Type identifier

   Data: Binary (Optional)  The described data

7.2.  Credential Catalog

   Profile for recording access credentials for Web sites and other
   projects.  Currently this is limited to usernames and passwords but
   could expand to include other credential forms.

7.2.1.  Structure: CredentialProfile

   Inherits: ApplicationProfileCatalog

   Stores usernames and passwords.  There are no public fields.

   [No fields]

7.2.2.  Structure: CredentialProfilePrivate

   Inherits: ApplicationProfilePrivate

   Private part of the profile.

   AutoGenerate: Boolean (Optional)  If true, a client MAY offer to
      automatically generate strong (i.e. not memorable) passwords for a
      user.  A user would not normally want to use this feature unless
      they have access to Mesh password management on every device they
      use to browse the Web

   Entries: CredentialEntry [0..Many]  A list of password credential
      entries.

   NeverAsk: String [0..Many]  A list of domain names of sites for which
      clients MUST NOT ask to store passwords for.







Hallam-Baker            Expires October 13, 2018               [Page 11]


Internet-Draft                  Mesh/SSH                      April 2018


7.2.3.  Structure: CredentialEntry

   Inherits: CatalogEntry

   Username password entry for a single site

   Sites: String [0..Many]  DNS name of site *.example.com matches
      www.example.com etc.

   Username: String (Optional)  Case sensitive username

   Password: String (Optional)  Case sensitive password.

   Protocol: String (Optional)  Protocol identifier, e.g. http, sftp,
      ssh, etc.

7.3.  Bookmark Catalog

   Profile for recording Web site bookmarks and related information.

7.3.1.  Structure: BookmarkProfile

   Inherits: ApplicationProfileCatalog

   Stores Web site bookmarks in a hierarchical

   [No fields]

7.3.2.  Structure: BookmarkProfilePrivate

   Inherits: ApplicationProfilePrivate

   Private part of the profile.

   Entries: BookmarkEntry [0..Many]  The bookmark entries

7.3.3.  Structure: BookmarkEntry

   Inherits: CatalogEntry

   Bookmark entry for a single site

   Title: String (Optional)  The resource name

   Uri: String (Optional)  The resource identifier

   ImageUDF: String [0..Many]  UDF fingerprint of related favicon image




Hallam-Baker            Expires October 13, 2018               [Page 12]


Internet-Draft                  Mesh/SSH                      April 2018


7.4.  Contact Catalog

   Profile for recording user contact information

7.4.1.  Structure: ContactProfile

   Inherits: ApplicationProfileCatalog

   Stores Web site bookmarks in a hierarchical

   [No fields]

7.4.2.  Structure: ContactProfilePrivate

   Inherits: ApplicationProfilePrivate

   Private part of the profile.

   Entries: ContactEntry [0..Many]  The contact entries

7.4.3.  Structure: ContactEntry

   Inherits: CatalogEntry

   Contact entry

   Personals: PersonalName [0..Many]  Personal names.

   MeshUDFs: String [0..Many]  List of mesh profiles fingerprints for
      the user.

   Internets: Internet [0..Many]  List of Internet, telephone, etc
      addresses for contacting this party

   Postals: Postal [0..Many]  List of postal addresses for this party

7.4.4.  Structure: PersonalName

   Personal name structure.

   First: String (Optional)  First name

   Last: String (Optional)  Last name

   Midle: String (Optional)  Middle names (if used).






Hallam-Baker            Expires October 13, 2018               [Page 13]


Internet-Draft                  Mesh/SSH                      April 2018


7.4.5.  Structure: Address

   Contact address.

   Label: String [0..Many]  Labels identifying the modes in which the
      label may be used e.g.  Home, Business, Mobile

   Attributes: String [0..Many]  Attributes describing the mode in which
      the contact address may be used.

7.4.6.  Structure: Internet

   Internet contact address

   Inherits: Address

   Inherits: Address

   Uri: String (Optional)  The resource identifier describing the mode
      of contact

7.4.7.  Structure: Postal

   Postal or geographic address.

   Inherits: Address

   Inherits: Address

   Adressee: String (Optional)  The postal name

   Street: String (Optional)  Street name and number

   Town: String (Optional)  Name of town or city

   Region: String (Optional)  State, county, department or other
      government unit.

   Country: String (Optional)  The country name

   Code: String (Optional)  The ISO 3 letter country code

7.4.8.  Structure: ContactPerson

   Inherits: ContactEntry

   Contact entry for a single person




Hallam-Baker            Expires October 13, 2018               [Page 14]


Internet-Draft                  Mesh/SSH                      April 2018


   FullName: String (Optional)  The name of the person

   Organization: String [0..Many]  The name of the organizations the
      person is associated with

7.4.9.  Structure: ContactOrganization

   Inherits: ContactEntry

   Contact entry for a single organization

   FullName: String (Optional)  The name of the organization

7.4.10.  Structure: NetworkProfile

   Inherits: ApplicationProfileCatalog

   Stores usernames and passwords.  There are no public fields.

   [No fields]

7.4.11.  Structure: NetworkProfilePrivate

   Inherits: ApplicationProfilePrivate

   Private part of the profile.

   AccessPoints: NetworkEntry [0..Many]  A list of access point entries

   VPNs: NetworkEntry [0..Many]  A list of VPN entries

7.4.12.  Structure: NetworkEntry

   Inherits: CredentialEntry

   Describes network access credentials

   Configuration: String (Optional)  Network configuration data.

7.5.  Mail Application Profile Objects

   Profiles that describe mail user agent configuration

7.5.1.  Structure: MailProfile

   Inherits: ApplicationProfile





Hallam-Baker            Expires October 13, 2018               [Page 15]


Internet-Draft                  Mesh/SSH                      April 2018


   Public profile describes mail receipt policy.  Private describes
   Sending policy

   EncryptionPGP: PublicKey (Optional)  The current OpenPGP encryption
      key

   EncryptionSMIME: PublicKey (Optional)  The current S/MIME encryption
      key

7.5.2.  Structure: MailDevicePublic

   Contains public device description

   Inherits: ApplicationDevicePublic

   [No fields]

7.5.3.  Structure: MailProfilePrivate

   Inherits: ApplicationProfilePrivate

   Describes a mail account configuration

   Private profile contains connection settings for the inbound and
   outbound mail server(s) and cryptographic private keys.  Public
   profile may contain security policy information for the sender.

   EmailAddress: String (Optional)  The RFC822 Email address. [e.g.
      "alice@example.com"]

   ReplyToAddress: String (Optional)  The RFC822 Reply toEmail address.
      [e.g. "alice@example.com"]

      When set, allows a sender to tell the receiver that replies to
      this account should be directed to this address.

   DisplayName: String (Optional)  The Display Name. [e.g.  "Alice
      Example"]

   AccountName: String (Optional)  The Account Name for display to the
      app user [e.g.  "Work Account"]

   Inbound: Connection [0..Many]  The Inbound Mail Connection(s).  This
      is typically IMAP4 or POP3

      If multiple connections are specified, the order in the sequence
      indicates the preference order.




Hallam-Baker            Expires October 13, 2018               [Page 16]


Internet-Draft                  Mesh/SSH                      April 2018


   Outbound: Connection [0..Many]  The Outbound Mail Connection(s).
      This is typically SMTP/SUBMIT

      If multiple connections are specified, the order in the sequence
      indicates the preference order.

   Sign: PublicKey [0..Many]  The public keypair(s) for signing and
      decrypting email.

      If multiple public keys are specified, the order indicates
      preference.

   Encrypt: PublicKey [0..Many]  The public keypairs for encrypting and
      decrypting email.

      If multiple public keys are specified, the order indicates
      preference.

7.5.4.  Structure: MailDevicePrivate

   Private data specific to the device

   Inherits: ApplicationDevicePrivate

   [No fields]

7.6.  SSH Application Profile Objects

   Profiles that describe SSH user agent configuration

7.6.1.  Structure: SSHProfile

   Application profile for SSH.  This is an initial cut of the profile
   and will need revision.  In particular, a sysadmin with a very large
   number of hosts they are accessing will need some means of avoiding
   combinatorial explosion.

   Inherits: ApplicationProfile

   [No fields]

7.6.2.  Structure: SSHDevicePublic

   Contains public device description

   Inherits: ApplicationDevicePublic

   Inherits: ApplicationDevicePublic



Hallam-Baker            Expires October 13, 2018               [Page 17]


Internet-Draft                  Mesh/SSH                      April 2018


   PublicKey: PublicKey (Optional)  Public authentication key for a
      device.

7.6.3.  Structure: SSHProfilePrivate

   Private portion or profile.

   Inherits: ApplicationProfilePrivate

   Inherits: ApplicationProfilePrivate

   Account: String (Optional)  The account to which the profile is bound

   HostEntries: HostEntry [0..Many]  Hosts bound to the profile

7.6.4.  Structure: HostEntry

   Describe a host connected to the SSH profile.  This is a machine that
   the user will access using the credential.

   Inherits: Entry

   Inherits: Entry

   Address: String (Optional)  The DNS address or IP address of the host

   AlgorithmID: String (Optional)  The SSH Algorithm identifier

   PublicKey: String (Optional)  The Base64 encoded public key

7.6.5.  Structure: SSHDevicePrivate

   Private data specific to the device

   Inherits: ApplicationDevicePrivate

   Inherits: ApplicationDevicePrivate

   DevicePrivateKey: PublicKey (Optional)  A private keypair or keypair
      contribution created for exclusive use of this device.

   KeyUDF: String (Optional)  Fingerprint of device that this key
      corresponds to.








Hallam-Baker            Expires October 13, 2018               [Page 18]


Internet-Draft                  Mesh/SSH                      April 2018


8.  Acknowledgements

   Your name could appear here.

9.  Security Considerations

   [This is just a sketch for the present.]

10.  IANA Considerations

   [TBS list out all the code points that require an IANA registration]

11.  References

11.1.  Normative References

   [draft-hallambaker-mesh-architecture]
              Hallam-Baker, P., "Mathematical Mesh: Architecture",
              draft-hallambaker-mesh-architecture-04 (work in progress),
              September 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006.

   [RFC6797]  Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
              Transport Security (HSTS)", RFC 6797,
              DOI 10.17487/RFC6797, November 2012.

   [RFC7460]  Chandramouli, M., Claise, B., Schoening, B., Quittek, J.,
              and T. Dietz, "Monitoring and Control MIB for Power and
              Energy", RFC 7460, DOI 10.17487/RFC7460, March 2015.

11.2.  Informative References

   [draft-hallambaker-mesh-developer]
              Hallam-Baker, P., "Mathematical Mesh: Reference
              Implementation", draft-hallambaker-mesh-developer-06 (work
              in progress), April 2018.








Hallam-Baker            Expires October 13, 2018               [Page 19]


Internet-Draft                  Mesh/SSH                      April 2018


11.3.  URIs

   [1] http://prismproof.org/Documents/draft-hallambaker-mesh-app.html

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.

   Email: philliph@comodo.com









































Hallam-Baker            Expires October 13, 2018               [Page 20]